From 13ee1b5e91c9a64356dbdb765c4de3ba84ad0eee Mon Sep 17 00:00:00 2001
From: Alfredo Oliviero
Date: Mon, 22 Apr 2024 15:32:53 +0200
Subject: [PATCH] clients
---
 .../idm/controller/AuthController.java | 25 +++++++-
 .../gcube/service/idm/rest/ClientsAPI.java | 64 +++++++++++++------
 .../org/gcube/service/idm/rest/RolesAPI.java | 7 +-
 .../org/gcube/service/rest/ErrorMessages.java | 4 ++
 4 files changed, 71 insertions(+), 29 deletions(-)
diff --git a/src/main/java/org/gcube/service/idm/controller/AuthController.java b/src/main/java/org/gcube/service/idm/controller/AuthController.java
index fcd933b..a5d0464 100644
--- a/src/main/java/org/gcube/service/idm/controller/AuthController.java
+++ b/src/main/java/org/gcube/service/idm/controller/AuthController.java
@@ -3,6 +3,8 @@ package org.gcube.service.idm.controller;
 import java.util.List;
 import java.util.Map;
+import javax.ws.rs.ForbiddenException;
+
 import org.gcube.common.keycloak.model.ModelUtils;
 import org.gcube.common.security.Owner;
 import org.gcube.common.security.providers.SecretManagerProvider;
@@ -10,10 +12,17 @@ import org.gcube.common.security.secrets.Secret;
 public class AuthController {
 public final static String IDM_SERVICE_READ = "idm-service-read";
+
+ // can admin current context
 public final static String IDM_SERVICE_ADMIN = "idm-service-admin";
- public final static List ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN);
- public final static List ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_READ);
+ // can admin all realm, not only current context
+ public final static String IDM_SERVICE_REALM = "idm-service-realm";
+
+ public final static List ACCESS_READ_ROLES = List.of(IDM_SERVICE_READ, IDM_SERVICE_ADMIN,
+ IDM_SERVICE_REALM);
+ public final static List ACCESS_ADMIN_ROLES = List.of(IDM_SERVICE_ADMIN, IDM_SERVICE_REALM);
+ public final static List ACCESS_ADMIN_REALM_ROLES = List.of(IDM_SERVICE_REALM);
 public static String getAccessToken() {
 Map authorizations = SecretManagerProvider.get().getHTTPAuthorizationHeaders();
@@ -76,4 +85,16 @@ public class AuthController {
 return !owner.isApplication() && owner.getId().equals(username);
 }
+ public static void checkIsRealmAdmin(String message) throws ForbiddenException {
+ if (!checkAnyRole(ACCESS_ADMIN_ROLES)) {
+ throw new ForbiddenException(message);
+ }
+ }
+
+ public static void checkIsContextmAdmin(String message) throws ForbiddenException {
+ if (!checkAnyRole(ACCESS_ADMIN_REALM_ROLES)) {
+ throw new ForbiddenException(message);
+ }
+ }
+
 }
diff --git a/src/main/java/org/gcube/service/idm/rest/ClientsAPI.java b/src/main/java/org/gcube/service/idm/rest/ClientsAPI.java
index f30a054..0d597dc 100644
--- a/src/main/java/org/gcube/service/idm/rest/ClientsAPI.java
+++ b/src/main/java/org/gcube/service/idm/rest/ClientsAPI.java
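Review bot: The two new guards have their role lists swapped: `checkIsRealmAdmin` tests `ACCESS_ADMIN_ROLES`, which includes the context-level `IDM_SERVICE_ADMIN`, while `checkIsContextmAdmin` tests the realm-only `ACCESS_ADMIN_REALM_ROLES`. ClientsAPI calls `checkIsRealmAdmin` to reserve the `client_id` parameter for realm administrators (hunks @@ -84, @@ -159 and @@ -215 of ClientsAPI.java), so with the lists as written a context admin passes that check and the reservation the error message promises is not enforced. Exchange the two lists: `if (!checkAnyRole(ACCESS_ADMIN_REALM_ROLES)) {` in checkIsRealmAdmin and `if (!checkAnyRole(ACCESS_ADMIN_ROLES)) {` in the context-admin method. The context-admin method name carries a typo (`checkIsContextmAdmin`); it has no callers in this patch, so renaming it to `checkIsContextAdmin` is cheap now. `checkAnyRole` is defined outside the hunk, so this assumes it returns true when the caller holds any of the listed roles.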
@@ -7,12 +7,14 @@ import java.util.Set;
 import org.gcube.service.idm.IdMManager;
 import org.gcube.service.idm.controller.AdminKeycloakController;
+import org.gcube.service.idm.controller.AuthController;
 import org.gcube.service.idm.controller.KCClientsController;
 import org.gcube.service.idm.controller.KCGroupsController;
 import org.gcube.service.idm.controller.KCRolesController;
 import org.gcube.service.idm.controller.KCUserController;
 import org.gcube.service.idm.keycloack.KkClientFactory;
 import org.gcube.service.idm.serializers.IdmObjectSerializator;
+import org.gcube.service.rest.ErrorMessages;
 import org.gcube.service.rest.ResponseBean;
 import org.gcube.service.rest.ResponseBeanMap;
 import org.gcube.smartgears.annotations.ManagedBy;
@@ -84,29 +86,38 @@ public class ClientsAPI {
 @QueryParam("client_id") String clientId) {
 ResponseBean responseBean = new ResponseBean();
- RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
- ClientResource clientResource = null;
-
- // select the client by name, or current client if client_name parameter is
- // null;
- if (clientId == null) {
- clientResource = KkClientFactory.getSingleton().getKKClient();
- } else {
-
- List clients = realmResource.clients().findByClientId(clientId);
-
- if (clients.size() == 0) {
- throw new NotFoundException();
- }
- String id = clients.get(0).getId();
-
- clientResource = realmResource.clients().get(id);
+ if (clientId != null) {
+ AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
 }
- RolesResource roles_resource = clientResource.roles();
- RoleResource role_resource = roles_resource.get(role_name);
+ // RealmResource realmResource = KkClientFactory.getSingleton().getKKRealm();
+ // ClientResource clientResource = null;
+
+ // // select the client by name, or current client if client_name parameter is
+ // // null;
+ // if (clientId == null) {
+ // clientResource = KkClientFactory.getSingleton().getKKClient();
+ // } else {
+
+ // List clients =
+ // realmResource.clients().findByClientId(clientId);
+
+ // if (clients.size() == 0) {
+ // throw new NotFoundException();
+ // }
+ // String id = clients.get(0).getId();
+
+ // clientResource = realmResource.clients().get(id);
+ // }
+
+ // RolesResource roles_resource = clientResource.roles();
+ // RoleResource role_resource = roles_resource.get(role_name);
+ // List user_members =
+ // role_resource.getUserMembers(firstResult, maxResults);
+
+ List user_members = KCClientsController.getContextUsersByRole(clientId, role_name,
+ firstResult, maxResults);
- List user_members = role_resource.getUserMembers(firstResult, maxResults);
 Object result = KCUserController.formatList(user_members, format_users);
 responseBean.setResult(result);
@@ -159,7 +170,12 @@ public class ClientsAPI {
 @QueryParam("client_id") String clientId) {
 ResponseBean responseBean = new ResponseBean();
-
+ if (clientId != null) {
+ AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
+ }
+
+ List user_members = KCClientsController.getMemberGroupUsers(clientId, firstResult,
+ maxResults);
 Object result = KCUserController.formatList(user_members, format_users);
 responseBean.setResult(result);
@@ -215,6 +231,12 @@ public class ClientsAPI {
 @QueryParam("client_id") String clientId) {
 ResponseBeanMap responseBean = new ResponseBeanMap();
+ if (clientId != null) {
+ AuthController.checkIsRealmAdmin(ErrorMessages.RESERVED_PARAMETER + "client_id");
+ }
+
+
+ // String role_name = "Member";
 boolean show_groups = !format_group.equals(KCGroupsController.REPR.none);
diff --git a/src/main/java/org/gcube/service/idm/rest/RolesAPI.java b/src/main/java/org/gcube/service/idm/rest/RolesAPI.java
index 098ba9b..aa60c2a 100644
--- a/src/main/java/org/gcube/service/idm/rest/RolesAPI.java
+++ b/src/main/java/org/gcube/service/idm/rest/RolesAPI.java
@@ -1,7 +1,5 @@
 package org.gcube.service.idm.rest;
-import java.rmi.ServerError;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -175,16 +173,13 @@ public class RolesAPI {
 RolesResource roles_resource = client.roles();
 RoleResource r = roles_resource.get(role_name);
- // ruoli che danno quel
+ // ruoli che danno quel
 Set groups = r.getRoleGroupMembers(firstResult, maxResults);
 responseBean.putResult("roleGroupMembers", groups);
-
 List users = r.getUserMembers();
 responseBean.putResult("users", users);
-
-
 ObjectMapper objectMapper = IdmObjectSerializator.getSerializer();
 String jsonData = objectMapper.writeValueAsString(responseBean);
diff --git a/src/main/java/org/gcube/service/rest/ErrorMessages.java b/src/main/java/org/gcube/service/rest/ErrorMessages.java
index 1f29d38..5321f3b 100644
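Review bot: The old client-lookup body is kept as a commented-out block of roughly thirty lines between the new `client_id` guard and the `KCClientsController.getContextUsersByRole(...)` call; delete it instead of commenting it, since version control already preserves it and it buries the one live statement `List user_members = ...` in that stretch. The rewrite also drops the explicit `throw new NotFoundException()` for an unknown `client_id`, so whether an unknown client still yields a 404 now depends on `getContextUsersByRole`, which is outside this patch; confirm that path or reinstate the check here. The `client_id` guard itself depends on `AuthController.checkIsRealmAdmin`, whose role list is discussed on the AuthController hunk. The enclosing method starts before the hunk.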
--- a/src/main/java/org/gcube/service/rest/ErrorMessages.java
+++ b/src/main/java/org/gcube/service/rest/ErrorMessages.java
@@ -9,6 +9,10 @@ public class ErrorMessages {
 public static final String USER_NOT_AUTHORIZED_PRIVATE = "User is not authorized to access private data";
 public static final String CANNOT_RETRIEVE_PROFILE = "Unable to retrieve user profile";
+ public static final String RESERVED_PARAMETER = "The parameter can be used only by realm administrators: ";
+
+
+
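Review bot: Three empty lines are appended after `RESERVED_PARAMETER`, at the end of the constant list; drop them so the new entry matches the two existing constants above it. The constant is a prefix that every call site completes by concatenation (`RESERVED_PARAMETER + "client_id"` in ClientsAPI), and the trailing `": "` inside the literal is easy to overlook; a one-line comment such as `// message prefix; callers append the name of the reserved query parameter` would make that contract visible where the constant is declared.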